Microsoft Releases 2012 Law Enforcement Requests Report

The following is a post from Brad Smith, General Counsel and Executive Vice President of Legal & Corporate Affairs at Microsoft. It was originally published on Microsoft on the Issues.

Today, we are releasing our 2012 Law Enforcement Requests Report. This is our first Law Enforcement Requests Report. It provides data on the number of requests we received from law enforcement agencies around the world relating to Microsoft online and cloud services and how we responded to those requests. All of our major online services are covered in this report, including, for example, Hotmail, Outlook.com; SkyDrive; Xbox LIVE; Microsoft Account; and Office 365. We’re also making available similar data relating to Skype, which Microsoft acquired in October 2011.

We will update this report every six months.

Our Perspective

In recent months, there has been broadening public interest in how often law enforcement agencies request customer data from technology companies and how our industry responds to these requests. Google, Twitter and others have made important and helpful contributions to this discussion by publishing some of their data. We’ve benefited from the opportunity to learn from them and their experience, and we seek to build further on the industry’s commitment to transparency by releasing our own data today.

Like others in the industry, we are releasing publicly the total number of requests we receive from law enforcement in countries around the world and the number of potentially affected accounts identified in those requests.

We are also publishing additional data that we hope will provide added insights for our customers and the public who are interested in these issues. For example, we are providing more detailed information that shows the number of law enforcement requests resulting in disclosure to these agencies of “customer content”, such as the subject line and body of an email exchanged through Outlook.com; or a picture stored on SkyDrive. We similarly are reporting on the number of law enforcement requests that result in disclosure only of “non-content” data, which includes account information such as an email address, a person’s name, country of residence, or gender, or system-generated data such as IP addresses and traffic data.

As most people recall, Microsoft acquired Skype toward the end of 2011, and the integration of our two companies advanced considerably over the course of 2012. Not surprisingly, Skype collected and retained certain data in different formats than the rest of Microsoft. It is therefore presented differently in this first report, which covers last year. Going forward, we are aligning our reporting formats across all Microsoft services, including Skype, so they can be presented in the same manner in our future reports. We also will continue to look for new ways to improve the usefulness of the data we publish, and I know we’ll benefit from the feedback that we’ll continue to receive from individuals and groups around the world.

What the Data Show

A lot of the public discussion about law enforcement requests to tech companies has focused on the benefits of transparency. While transparency is definitely valuable, it’s also important to step back when reports like this are released and ask what the data actually show. We’ve made the data available in a format that enables anyone to analyze it (and as I’ve found, the new PowerPivot feature in Excel is so easy that even a lawyer can make ready use of it). As I’ve had the opportunity in recent weeks to review all of our data and talk with the Microsoft teams that work in this area, a few themes have struck me as the most significant. I’ve therefore tried to summarize below what has struck me as some of the principal trends reflected in the data we’re releasing today:

· First, while we receive a significant number of law enforcement requests from around the world, very few actually result in the disclosure to these agencies of customer content. To be precise, last year Microsoft (including Skype) received 75,378 law enforcement requests for customer information, and these requests potentially affected 137,424 accounts or other identifiers. Only 2.1 percent, or 1,558 requests, resulted in the disclosure of customer content.

· It’s insightful, I believe, to look at the governments to whom customer content was disclosed. Of the 1,558 disclosures of customer content, more than 99 percent were in response to lawful warrants from courts in the United States. In fact, there were only 14 disclosures of customer content to governments outside the United States. These were to governments in Brazil, Ireland, Canada and New Zealand.

· Of the 56,388 cases where Microsoft (excluding Skype) disclosed some non-content information to law enforcement agencies, more than 66 percent of these were to agencies in only five countries. These were the U.S., the United Kingdom, Turkey, Germany and France. For Skype, the top five countries accounted for 81 percent of all requests. These countries were the U.K., U.S., Germany, France and Taiwan.

· Roughly 18 percent of the law enforcement requests (again, excluding Skype) resulted in the disclosure of no customer information in any form, either because Microsoft rejected the request or because no customer information was found. (We don’t have this information for Skype for 2012 because its data was not retained in this form, but we will for 2013 and the future.)

· We addressed last year a total of only 11 law enforcement requests for information relating to Microsoft’s enterprise customers. In general, we believe that law enforcement requests for information from an enterprise customer are best directed to that customer rather than a tech company that happens to host that customer’s data. That way, the customer’s legal department can engage directly with law enforcement personnel to address the issue. Last year, we either rejected or were successful in redirecting seven of these 11 requests, and in the four instances where we disclosed some enterprise customer information, we either obtained the customer’s consent before complying, or we disclosed the information pursuant to a specific contractual arrangement to process such requests on behalf of the customer. (For more on how Microsoft handles requests for enterprise customer information, please visit our FAQ here.)

· Finally, while law enforcement requests for information unquestionably are important (and raise important issues around the world), only a tiny percentage of users are potentially affected by them. We have many hundreds of millions of accounts across our online and cloud services. To give you a sense of proportion, we estimate that less than two one-hundredths of one percent (or 0.02 percent, to put it another way) were potentially affected by law enforcement requests. This broke down as follows:

o Microsoft services (excluding Skype) received 70,665 requests from law enforcement, impacting a potential 122,015 accounts or other identifiers.

o Skype received 4,713 requests from law enforcement. Those requests impacted 15,409 accounts or other identifiers, such as a PSTN number. Skype produced no content in response to these requests, but did provide non-content data, such as a SkypeID, name, email account, billing information and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number.

What We Do

As we continue to move forward, Microsoft is committed to respecting human rights, free expression, and individual privacy. We seek to operate all of the services we own in a manner that’s consistent with our Global Human Rights Statement and responsibilities as a member of the Global Network Initiative. Like every company, we are obligated to comply with legally binding requests from law enforcement, and we respect and appreciate the role that law enforcement personnel play in so many countries to protect the public’s safety.

While these issues are sometimes complex, we strive to follow practices that are clear and straightforward:

· We require a valid subpoena or legal equivalent before we will consider releasing a customer’s non-content data to a law enforcement agency.

· We require a court order or warrant before we will consider releasing a customer’s content to law enforcement.

· We take a close look in each instance to ensure that the requests we receive for a customer’s information are in accord with the laws, rules and procedures that are applicable to requests for customer data and content.

You can find additional detailed information on our policies and practices here.

Looking Forward

This is obviously our first report of this nature. We welcome suggestions and feedback, and we’ll no doubt continue to learn from our own experience as well as from others as we move forward. If you have ideas you’d like us to consider, please send them to us by email to mcitizen@microsoft.com. Even though we may not ultimately agree with or adopt every suggestion, I know we’ll be better off for having received and considered your ideas.